[OpenID] OpenID User Interface Working Group
Peter Williams
pwilliams at rapattoni.com
Fri Mar 20 13:15:49 UTC 2009
"We [yahoo] are totally against the concept of allowing an RP"
I found the Microsoft presentation of authentication (and websso) topics in and about the topic of webslice microformats a really effective way of discussing UI topics, going beyond direct content to address syndicated content. They address sensitive UI issues, without implying that the topic must and can ONLY rely on a program that requires massively centralized "UI governance" and education (aka indoctrination) campaigns.
Won't be long before we have a trust networking world in which mega-OPs will "refuse to let RPs consume their assertions" - unless the RP has a site that is in compliance with the OP governance policies. Far from being anything to do with UCI, that world is just good old hub and spoke networking - no different to the EDI space. It can still be labeled with the user centered buzzterm, I suppose, but the boundaries of user choice are obviously limited to what some (probably huge) TTP identity management firm defines. My opinions will presumably carry no weight.
Always interesting to see how a community takes security enforcement technologies (such as websso) and turns them into a governance framework. Before long, the end product and indeed the rationalization of the enforcement strength becomes the governance itself. Fortunately, every time this happens, it seems to induce a counter swing. We should recall the PKI space, when CAs and insurance companies tried to become all powerful identity management control frameworks; SSL swung toward user-centered management (despite its roots in hierarchical, centralized identity management!). OpenID is obviously in its swing towards massive centralization, in which governance is king.
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Allen Tom
> Sent: Thursday, March 19, 2009 7:07 PM
> To: Nash, Andrew; general at openid.net
> Subject: Re: [OpenID] OpenID User Interface Working Group
>
> Hi Andrew,
>
> I am in total agreement with you that phishing is a huge problem, and
> the Yahoo Membership team (the same folks working on OpenID) devotes a
> considerable amount of resources to fight phishing, as well as trying
> to help users who have been phished.
>
> We also put in a lot of effort to educate users about phishing, and we
> strongly encourage our users to set up a personalized anti-phishing
> Sign-in Seal, as well as to always check the address bar of the browser
> before entering their Yahoo credentials.
>
> http://security.yahoo.com/article.html?aid=2006102503
> https://protect.login.yahoo.com/
> http://openid.yahoo.com/ (Click on the OpenID Tour link to learn about
> phishing and OpenID)
>
> We are totally against the concept of allowing an RP to open a frame for
> the user to enter their OP's password. As you pointed out, the user
> would have no idea where the password is going, and this would be
> extremely insecure. Earlier versions of Facebook Connect used to
> demonstrate this behavior, and I'm very glad to see that Facebook has
> since moved the password validation into a standalone popup window, with
> the browser's address bar clearly displayed.
>
> One of Yahoo's primary security requirements with Federated SSO (OpenID,
> OAuth, BBAuth, SAML) is that the user is able to recognize the Yahoo
> Login screen. We do this by educating users to always check the address
> bar and to create a customized Sign-in Seal. The UI Working Group
> believes that a popup authentication screen, in a standalone browser
> window (not framed) and with the address bar clearly displayed,
> provides users with the same ability to detect phishing compared to the
> existing full browser redirect user experience that is used by OpenID
> today.
>
> From a user experience perspective, eliminating the browser redirect
> maintains the context of the RP's site, which is the biggest complaint
> that we've received with BBAuth, OAuth, and OpenID. Facebook, Yahoo, and
> many others have UX research showing that the redirect is a very jarring
> experience, and the success rate can be dramatically improved by moving
> to a popup flow.
>
> As far as I can tell, an independent popup window, with the address bar
> displayed, has the same characteristics with regards to phishing, as the
> full browser redirect. The popup window does not prevent OPs from
> deploying anti-phishing technologies, and I believe that the popup will
> drive more widespread usage of OpenID, which will also increase demand
> for anti-phishing solutions.
>
> thanks
> Allen
>
>
> Nash, Andrew wrote:
>
>
> > One of the ways that we have been able to reduce the incidence of
> > successful account takeovers has been to drill into consumers that they
> > should NEVER sign into an account on a domain that is not directly
> > associated with the account provider. This is not perfect, but then none
> > of the anti-phishing techniques are - it is why we have to spend so much
> > money and utilize so many different strategies.
> >
> > As it reads, the UI working group will be socializing the concept among
> > users that it is perfectly fine to enter your authentication information
> > at any site that pops up a frame asking for it. From an Internet trust
> > perspective this is a REALLY BAD IDEA!
> >
> > OpenID is already criticized for its exposure to phishing and spoofing
> > attacks. If this approach is taken in the way it seems to be described,
> > we will pretty much ensure that no one that has medium to high value
> > transactions or services will be interested in implementing OpenID.
> >
> > --Andrew
> >
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general
> >
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
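The OP-side enforcement of the "standalone window, not framed" requirement Allen describes, as an added example that is not code from the thread, from Yahoo, or from any OpenID implementation: a hypothetical WSGI login endpoint that ships the response headers browsers honour to refuse a framed load, next to the weak, frameable variant the thread objects to, plus a header check of the kind a reviewer or scanner would run. It assumes the X-Frame-Options and CSP frame-ancestors headers, neither of which the thread mentions.

```python
from wsgiref.util import setup_testing_defaults

# Tell the browser to refuse rendering this page inside a frame on any origin.
# X-Frame-Options is the older header, CSP frame-ancestors the standard one.
ANTI_FRAMING_HEADERS = [
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]

# Constructed stand-in for the OP's password form.
LOGIN_PAGE = (b"<form method='post' action='/login'><input name='user'>"
              b"<input name='password' type='password'><input type='submit'></form>")

def op_login_app(environ, start_response, hardened=True):
    """Hypothetical WSGI app for the OP login page. hardened=False serves a
    frameable prompt; hardened=True makes the browser refuse a framed load, so
    the prompt only appears top-level or in a popup whose address bar is visible."""
    headers = [("Content-Type", "text/html; charset=utf-8")]
    if hardened:
        headers += ANTI_FRAMING_HEADERS
    start_response("200 OK", headers)
    return [LOGIN_PAGE]

def frameable_by_third_party(headers):
    """Scanner-style check: could an arbitrary third-party site frame this response?
    False only for X-Frame-Options DENY/SAMEORIGIN or frame-ancestors limited to 'none'/'self'."""
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options" and value.strip().upper() in ("DENY", "SAMEORIGIN"):
            return False
        if lname == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    sources = {p.lower() for p in parts[1:]}
                    if sources and sources <= {"'none'", "'self'"}:
                        return False
    return True

def serve_login(hardened=True):
    """Run the app once against a constructed WSGI environ; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = "/login"
    captured = {}
    def start_response(status, response_headers, exc_info=None):
        captured["status"], captured["headers"] = status, response_headers
    body = b"".join(op_login_app(environ, start_response, hardened))
    return captured["status"], captured["headers"], body
```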